Method, computer program product and computer system for modifying roles that trigger application services

ABSTRACT

The present invention discloses a method, computer program product and system for adjusting roles in a computer system (100) that launch application services (301-307) by a first user who is assigned to at least one role. A first role (110) calls a second role (150) by reference (111). Both roles comprise representations of applications services (101, 102, 103) and (104, 105). When representations in the second role are modified, for example, application services are added (106, 107), a delta list (112) for the first reference is automatically created to conditionally prevent the first role (110) from referencing to at least some of the modified representations of the second role (150). This is achieved by using a rule database (118) containing rules about application services that are mutually exclusive and checking for conflicts between the representations of the first role and modified, second role. A second user, e.g. a system administrator, can accept or reject automatically created delta entries (114) in the delta list (112).

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention generally relates to a role-based computer system that triggers computer application services, and more particularly, relates to a method, computer program product and system for adjusting the roles in a continuously changing business environment.

[0003] 2. Description of the Prior Art

[0004] FIG. 1 illustrates a simplified diagram of computers 1 to N that are interconnected by local area networks (LAN) or wide area networks (WAN), or other computer networks known in the art. A computer user identifies himself or herself to a so-called role system (e.g., on computer 3) via a human interface, such as a display screen with a keyboard as input device or the like (e.g., on computers 1-2) and uses some or all of applications services (“AS”, e.g., on computers 4-6).

[0005] Such computer based systems are used and of vital importance in almost all organizations such as, for example, manufacturing facilities, travel agencies, call centers, financial institutions, business organizations, etc.

[0006] In each organization, groups of users with similar responsibilities share application services that are part of business applications and used in business processes, whereas other groups of users with other predefined responsibilities require other application services of other business applications that are used in the same or other business processes. Business applications providing the application services (AS) are hosted, for example, on dedicated computers 4 to 6. The role system hosted on computer 3 provides predefined representations of these application services to the user (not shown in FIG. 1). The predefined representations are assigned to roles (e.g., 10, 11, 12). The application services belonging to a specific role are displayed to the user by a human interface (e.g., on the display devices of front end computers 1, 2, . . . , N), for example, by graphical symbols like icons. The application services AS that are assigned to different roles are complementary in a way that these roles all together cover all application services that need to be performed in a specific business process.

[0007] In other words, roles link users and business processes. For example, a purchasing agent gets access to all application services that he or she needs within the order fulfillment process, such as, checking supplier prices for a certain product over the internet and executing a purchasing transaction for that specific product. In parallel the purchasing agent might be involved in a new product development process, where new suppliers have to be identified for new parts and prices have to be negotiated for these new parts. All required applications services to support these business processes can be conveniently accessed by the user, who gets assigned to the role of a purchasing agent.

[0008] It is an advantage that within a role the total number of application services that are available in the connected application systems are not displayed. Rather roles only display application services that are required by a specific user. Thereby, roles help hiding the complexity of the overall system landscape from the user. This improves the usability of the human interface for the user.

[0009] However, application services constantly change; it is in the discretion of the organization to remove, add or otherwise modify the application services, for example, when business processes within the organization change, or when application services are updated (e.g., by a new release of an application system). This becomes especially important for managing organizational knowledge, as this knowledge gains more and more relevance in the execution of business processes. That is, document services that provide this knowledge are sometimes changed daily in periods of organizational change.

[0010] Further, the users of these application services change too: people join or leave the organization, get promoted or shift responsibilities within the organization. When people are replaced, the roles remain the same, but when people enhance their skill set through training, then their roles need to be adjusted.

[0011] Still further, the selection of services that are available to a single user at all must comply with predefined rules and criteria. For example, a user must be prevented from accessing conflicting services; specific users must have access to mutually dependent services.

[0012] Therefore, the role system (also “role repository”) constantly requires an adjustment of its role definitions. This makes the management of role system difficult and requires a lot of manual role administration work. For example, a role administrator has to modify each role manually. Often a small change in a business process has impact on many different roles. The administrator, further, has to control the role consistency across all roles, whenever role upgrades are implemented or when roles change for other reasons, as explained before. This can affect hundreds of roles where the administrator needs to compare the changes with the predefined rules and criteria for avoiding conflicting services within a role.

SUMMARY OF THE INVENTION

[0013] The present invention provides method, computer program product and system for an improved role management. The invention solves the technical problem of automating role modifications that are imposed on an organization by the reasons described in the previous section. The automation of role modification is achieved by introducing a “delta list concept” in combination with a “call by reference concept” for roles that reference to other roles. In large organizations the number of roles can be higher than 1000. There is the technical problem of keeping all of these roles consistent according to legal requirements and the organization's policy.

[0014] The “delta list concept” in combination with the “call by reference concept” and the usage of a “rule data base” as defined in claims 1-18 also solves the technical problem of keeping a large number of roles consistent within an organization. The “call by reference feature” allows instant availability of all modifications of a child role for all parent roles that reference the child role and the “rule data base” ensures that all entries that are created in the delta list for the corresponding references between roles abide with the legal requirements and the company policy without needing human input.

[0015] Further, the access of a role to application services is critical for an organization from a security point of view. Therefore, specific users need to access additional application services that are not accessible through their roles or the users have to be prevented from access to application services that can be accessed through their roles. In both cases a technical problem arises to overrule automatically created delta lists that were created on the basis of the rule data base because for specific roles that are assigned to these specific users the rule data base might not apply and an exception is required. The features of claim 7 define a solution to this problem through providing the possibility for an administrator to reject or accept all of the modifications of a role.

[0016] The solution provided by the present invention is directed to:

[0017] a) a method as defined in claims 1-13 for modifying roles that launch application services;

[0018] b) a computer program product as defined in claims 14-16 for providing representations of application services to a user depending on the user's roles;

[0019] c) a computer system as defined in claims 17 and 18 for launching application services through roles and for modifying the roles; and

[0020] d) a computer-readable medium as defined in claims 19-22 having a plurality of sequences of instructions stored thereon, for performing the steps of the method under a) when executed by one or more processors.

[0021] These and other features of the present invention will be clear from a description of preferred embodiments with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

[0022] FIG. 1 illustrates a simplified diagram of a computer network with computer systems 1-6 that are interconnected;

[0023] FIG. 2 illustrates a first operating state of a role system that is coupled to application services and operates according to the present invention;

[0024] FIG. 3 illustrates a second operating state of the role system that is coupled to application services;

[0025] FIG. 4 illustrates a simplified flowchart diagram of a method to modify roles by creating a delta list;

[0026] FIG. 5 illustrates a preferred embodiment for step 440 in the method shown in FIG. 4;

[0027] FIG. 6 illustrates a preferred embodiment of the interrogator shown in FIG. 3;

[0028] FIG. 7 illustrates a role hierarchy diagram;

[0029] FIG. 8 illustrates a simplified block diagram of a computer system for launching application services through roles and modifying the roles; and

[0030] FIG. 9 illustrates a preferred embodiment of presenting representations of application services to the user.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

[0031] FIG. 2 illustrates a first operating state of a role system 100 that operates according to the present invention and is coupled to application services 301-307 (labeled “AS”). Application services 301-307 are provided by a plurality of application systems 350. For convenience of explanation the single systems comprised by plurality 350 are not shown. Each system in plurality 350 is connected to role system 100 for the data transfer between role system 100 and plurality 350 of application systems. The present invention is embodied in role system 100; application services 301-307 as such are known in the art.

[0032] For convenience of explanation, role system 100 and application services 301-307 are considered as computer program products. System 100 comprises roles 110, 150 with application service representations 101-107 (labeled “ASR”). These application service representations 101-107 have logical connections (dashed arrows 101-1 to 107-1) to application services 301-307, respectively. Application service representations 101 to 103 are assigned to role 110 and application service representations 104 to 105 are assigned to role 150. The assignments are shown as solid lines 101-2 to 105-2 between the representations 101 to 105 and roles 110 and 150.

[0033] Roles 110 and 150 have a parent-child relationship 111, wherein the parent role 110 calls the child role 150 by reference 111. It is important that roles 110 and 150 do not necessarily need to provide all application services that are needed by a user of an organization but can also simply be considered as building blocks for other roles.

[0034] System 100 and services 301-307 can be software implemented on one or more computers that comprise one or more processors, memory, buses, local or wide area networks, and other elements. Data formats and data protocols for data exchange between the different components in the network are known in the art and therefore not discussed further.

[0035] When the user wants to log on to role system 100, initially, role system 100 requests an identification from the user to determine what role is assigned to the user. Also further roles can be assigned to the user, when the user needs access to further application services that do not have representations in the user's first role. Once the roles are determined, system 100 launches for the user the application services 301-305 through application service representations 101-105 or 104-105 only, depending on the user's assignment to either first role 110 or second role 150, respectively.

[0036] The term “launch” means to trigger the execution of a requested application service. This can be done either with or without additional interaction by the user. In case of interaction, system 100 optionally offers the user graphical representations (like icons, text on the screen) of application services 301-307. The user selects one of the graphical representations and the corresponding application service is launched in the corresponding application system. The order of the graphical representations is not limiting the scope of the invention; however, optionally, the order can be pre-defined, for example, to show the graphical representations in the same order as the corresponding application services need to be executed within a business process.

[0037] FIG. 3 illustrates a second operating state of role system 100 according to the present invention, where roles 110 and 150 (cf. FIG. 2) are modified during the operation of system 100 (cf. method 400 in FIG. 4) because, for example, a business process that was changed in the organization now requires the adjustment of roles according to the changes. For simplicity of explanation, it is assumed that additional representations of application services (106 and 107) are assigned (106-2, 107-2) to role 150. Persons of skill in the art can apply modification of roles as described in the present invention also when representations of application services are removed or replaced from a role.

[0038] Elements of role system 100 that facilitate role modifications according to method 400 described in FIG. 4 are illustrated in FIG. 3: a delta generator 113 receives modification data from first role 110 through connection 120. The modification data are compared with rules stored in rule database 118 that is connected 119 to delta generator 113. It is not limiting for the invention that rule data base 118 is not part of role system 100 (as shown in FIG. 3). Delta generator 113 creates delta list 112 assigned to reference 111 through connection 199. Interrogator 115 also receives modification data from first role 110 through connection 120 and updates delta list 112 through connection 129. Details are explained under FIGS. 4-9.

[0039] FIG. 4 illustrates a simplified flowchart diagram of method 400 according to the present invention. Method 400 is performed, preferably, by role system 100 for modifying roles that launch application services (e.g., 301-307) for a first user (not shown) who is assigned to either role 110 or to role 150. Method 400 comprises the steps representing services 410, referencing roles 420, modifying representations 430, and creating delta list 440.

[0040] In step 410, system 100 represents application services 301-305 in role 110 with a first set (e.g., 101, 102, 103) of representations and role 150 with a second set (e.g., 104, 105) of representations. System 100 visualizes these sets of representations for each role 110, 150 on a display device (e.g. monitor) by using, for example, a specific icon for each representation. Preferably, system 100 provides (step 410) representations of the first set (101, 102, 103) and of the second set (104, 105) that are different. In other words, the intersection between the first and second set is zero. That means that each role 110, 150 only comprises the minimum of service representations that are required by the business processes to avoid redundancies in the content of roles.

[0041] In step 420, first role 110 calls second role 150 by reference 111.

[0042] In step 430, system 100 modifies (e.g. by installing a role upgrade) the second set of representations 104, 105 in role 150 (e.g., resulting in 104, 105, 106, 107 cf. FIG. 3). Via reference 111, these modifications become instantly valid for role 110, as well.

[0043] In step 440, delta generator 113 and interrogator 115 create delta list 112 with delta entries 114 for reference 111. Preferably, delta list 112 prevents role 110 from referencing to at least some of the modifications in the second set of representations 104, 105, 106, 107 in role 150. The assignment of delta list 112 to reference 111 is symbolized as dotted line 116 in between. In the example shown in FIG. 3 predefined rules in rule data base 118 (further details below) cause the delta generator 113 to conclude that application service representation 106, although now assigned to role 150, must not be part of role 110. Therefore, delta generator 113 creates delta list 112 and writes delta entry 114 “−106” into delta list 112. The minus sign of delta entry “−106” (cf. FIG. 3) illustrates exclusion of representation 106 from role 110.

[0044] To look more into details of method 400, in step 430, system 100 modifies the second set of representations (104, 105) (cf. FIG. 2) in role 150 by adding or removing representations of application services. For added representations 106, 107 (cf. FIG. 3), delta generator 113 creates delta list 112 as an exclusion list (negative delta entries 114). System 100 prevents role 110 from launching application services 306 where the corresponding representations 106 are excluded by delta list 112 through delta entry 114 “−106”. Accordingly, for representations removed from the second set, delta generator 113 creates delta list 112 as an inclusion list indicating these representations that have been removed from role 150 but that are still to be launched by role 110. Delta generator 113 creates list 112 without human interaction, for example, by applying rules stored in look-up rule database 118 connected 119 (cf. FIG. 3) to delta generator 113; or, interrogator 115 modifies delta list 112 with user interaction, for example, by asking for confirmation of the modifications of role 110 (details in FIG. 5).

[0045] Turning back to FIGS. 2-3, method 400 is now explained by a first example. FIG. 2 illustrates the state of system 100 after completion of representing services 410 and referencing roles 420; and FIG. 3 illustrates the state after completion of modifying representations 430 and creating delta list 440. As in FIG. 2, system 100 is delivered to users with predefined roles 110 and/or 150 for launching application services 301-305. Roles 110 and 150 are related, i.e. role 110 being the “parent” role and role 150 being the “child” role. Role 110 comprises representations 101, 102 and 103 (first set) to applications services 301, 302 and 302, respectively. Reference 111 is a pointer to the complete role 150, that is to all representations in role 150. Role 150 comprises representations 104 and 105 (second set) to applications services 304 and 305, respectively. Due to the inter-role referencing 111, for a role 110 user, system 100 launches not only services 301-303 but also launches services 304-305. For a role 150 user, system 100 launches services 304-305 only.

[0046] As in FIG. 3, new representations of application services 106 and 107 referring to application services 306 and 307 are added to role 150 in accordance with step 430 to modify the second set of representations 104, 105. According to the present invention, both roles 110, 150 are updated instantaneously. Role 150 then comprises the modified second set 104, 105, 106, 107.

[0047] To comply with the above mentioned predefined rules stored in rule database 118, delta generator 113 creates delta list 112, here in the example with delta entry 114 “−106”. In case service 306 conflicts with service 301 if performed by the same role, delta generator 113 detects this conflict comparing the combination of the corresponding representations 101 and 106 with the rules in rule data base 118 and writes delta entry 114 “−106” into delta list 112. The minus sign in “−106” illustrates exclusion of representation 106. It is not required by the invention that a rule data base 118 is part of system 100. Now, role 110 is prevented from referencing to representation 106 in the modified second set in role 150. Therefore, service 306 is excluded from being launched by role 110. A person using system 100 in role 110 now is able to use services 301-305 and in addition service 307.

[0048] The use of delta list 112 according to the present invention eases the management of the role system 100. For example, in the prior art role system, each role modification requires the creation of new versions for all dependent roles, these are all roles that reference to the modified role directly or indirectly through other roles. The prior art role system leads to a complex role network that simultaneously uses different versions of the same role. By using delta lists as described in the present invention, only one actual version of each role 110, 150 is needed, wherein all modifications are reflected in the actual version of the modified roles 110, 150 and the delta list 112. As a result, system 100 calculates the representations of application services ASR that can launch corresponding application services AS from role 110 as the sum of:

[0049] a) all representations assigned to the parent role 110,

[0050] b) all representations assigned to the child role 150 and

[0051] c) all delta entries 114 in delta list 112 assigned to reference 111 between the roles.

[0052] FIG. 5 illustrates a preferred embodiment for method step 440 creating delta list in method 400 of FIG. 4. System 100 creates delta list 112 by: informing a second user 442 about the modification to the second role 150 through interrogator 115, e.g. via display (cf. FIG. 6); and receiving 444 from the second user the instruction to accept or to reject some or all of the modifications (e.g., by reading a key stroke); and—in case of instructions from the second user—updating 446 delta list accordingly.

[0053] Preferably, the “second user” is a person different from a person assigned to role 110 or 150. Usually, the “second user” is an administrator of role system 100.

[0054] FIG. 6 illustrates a preferred embodiment of interrogator 115. Letters in italics symbolize text that is displayed in a confirmation form 121 to a user on a display. Confirmation form 121 is generated by interrogator 115 based on modification information provided by role 110. Form 121 comprises role identification 122 (role ID) of the modified role as well as tables 123 and 124 showing all relevant modifications of representations (“ASR” column) that occurred in child roles (“role of origin” column) and already existing delta entries (“delta entry” column) for the modified representation. Thereby, table 123 refers to added application service representations and table 124 refers to removed application service representations. The second user accepts or rejects the modifications for role ID 122 by either selecting an “accept” radio button 125-1 out of a first plurality 125 of radio buttons or a “reject” radio button 126-1 out of a second plurality 126 of radio buttons for each modified representation. By pushing the OK-button 127 the second user starts the interrogator 115 to update delta list 112 accordingly.

[0055] FIG. 7 illustrates, in a second example, a further role hierarchy diagram for multiple roles in system 100, wherein roles 160 (“RESPONSIBLE FOR VENDOR INVOICES”) and 170 (“RESPONSIBLE FOR CASH DISBURSEMENTS”) represent parent roles that call the child roles 140 (“PAYMENT MANAGEMENT”), 180 (“VENDOR MASTER DATA MANAGEMENT”) and 190 (“GL ACCOUNTS DISPLAY”) by references 111-1 to 111-6. Each child role has two parents (roles 160 and 170) because roles 160 and 170 have a high overlap in jointly used representations of application services:

[0056] 101′ (“CREATE VENDOR MASTER DATA”) assigned 101′-2 to role 180,

[0057] 102′ (“DISPLAY VENDOR MASTER DATA”) assigned 102′-2 to role 180,

[0058] 104′ (“SHOW PAYMENT”) assigned 104′-2 to role 140,

[0059] 105′ (“SHOW PAYMENT RUN”) assigned 105′-2 to role 140,

[0060] 106′ (“CREATE PAYMENT”) assigned 106′-2 to role 140,

[0061] 107′ (“DISPLAY GL ACCOUNT”) assigned 107′-2 to role 190, and

[0062] 108′ (“DISPLAY GL ACCOUNT GROUPS”) assigned 108′-2 to role 190.

[0063] The representation 103′ (“CREATE VENDOR INVOICE”) is assigned 103′-2 to role 160 only. The rule data base 118 (cf. FIG. 3) contains a rule that indicates that representation 103′ (“CREATE VENDOR INVOICE”) and 106′ (“CREATE PAYMENT”) must not be performed by the same role as this combination holds a considerable risk (loss of cash) for the company. A user who is assigned to a role that provides service representations 103′ and 106′ simultaneously could release payments without further control for any invoice (of any amount) that he or she created. Role 160 calls role 140 by reference 111-3 and role 140 has representation 106′ assigned to it. Therefore, the described risk arises for role 160 with the shown relationships. Delta generator receives data from role 160 through connection 120′. Delta generator 113 detects all possible conflicts by comparing all combinations of representations in role 160 with the rules in the rule data base 118 (cf. FIG. 3). Then, delta generator 113 resolves the conflict by creating (through connection 199′) a delta list 112-3 that is assigned to reference 111-3 (dotted line 116′) and writing delta entry 114′ (−106′) to delta list 112-3. Thus, role 160 can launch an application service that is represented by representation 103′ but not by representation 106′. As users can be assigned to any role at any hierarchy level the usage of delta lists minimizes the business control risks that a company would encounter through poor role design.

[0064] FIG. 8 illustrates a simplified block diagram of a computer system 500 according to the present invention. System 500 launches application services (301-307, cf. FIGS. 2-3) by a first user who is assigned to either a first role or to a second role. Computer system 500 preferably comprises a digital processing unit 501 (processor) and a memory 502. The system is characterized by:

[0065] a first means 510 for representing the application services in the first role with a first set of representations and in the second role with a second set of representations (cf. FIGS. 2-3; e.g. roles 110, 150; e.g. ASR 101-105);

[0066] a second means 520 for referencing from the first role to the second role by a first reference;

[0067] a third means 530 for modifying the second set of representation in the second role; and

[0068] a fourth means 540 for creating a delta list (e.g. delta list 112; cf. FIG. 3) assigned to the first reference (e.g. reference 111; cf. FIG. 3). Preferably the delta list prevents the first role from referencing to at least some of the modifications in the second set of representations.

[0069] Preferably, means 510 to 540 are implemented as executable program code in memory 502 and can be executed by processor 501. The executable program code can be loaded into memory 502 from a computer readable medium 505 via input device 503. All components of system 500 are connected via a bus 590. A person skilled in the art can implement means 510-540 by using the functions of processor 501 and memory 502 of system 500.

[0070] A preferred embodiment of data structures and how these data structures are used by system 500 is explained in the following. All data structures reside in memory 502 and are processed by processor 501. A first data structure is a data table that comprises the assignment of roles to users (table 1). For example role 160 is assigned to user U1, role 170 is assigned to user U2 and roles 140 and 190 are assigned to user U3. When a user logs on to the role system 500 the corresponding assignment that is stored in table 1 in memory 502 is executed by processor 501.

TABLE 1 User-to-role assignment table

User     Role
U1       160
U2       170
U3       140
U3       190
. . .    . . .

[0071] A second data structure is the Inner-Role-Assignment table (table 2), where the assignments of application service representations to roles and the assignments of roles to other roles (through references) are stored in memory 502. The content of table 2 corresponds to the role hierarchy example in FIG. 7. For example parent role 160 has reference 111-1 to child role 180 (second row of table 2). Application service representation (ASR) 103′ is assigned to parent role 160 through assignment 103′-2 (third row of table 2). Means 520 uses processor 501 to build the complete role hierarchy by reading table 2 from memory 502 and executing all reference calls. Processor 501 also executes all assignments of table 2.

TABLE 2 Inner-Role-Assignment table

Parent Role   Child Role   Reference   ASR     Assignment
160           180          111-1
160                                    103′    103′-2
160           140          111-3
160           190          111-4
170           180          111-2
170           140          111-5
170           190          111-6
180                                    101′    101′-2
180                                    102′    102′-2
140                                    104′    104′-2
140                                    105′    105′-2
140                                    106′    106′-2
190                                    107′    107′-2
190                                    108′    108′-2
. . .         . . .        . . .       . . .   . . .

[0072] Means 510 provides a visualization of application service representations on a display similar to the one shown in FIG. 9 to the users U1, U2, . . . according to the roles assigned to the users in table 1 and the inner-role-assignments in table 2.

[0073] Means 530, for example, can implement a role upgrade that modifies application service representations in roles by reading corresponding role data with an input device from a computer readable medium and storing these data in table 2.

[0074] The delta generator 113 is implemented in means 540 (cf. FIG. 7). Means 540 compares the content of table 2 for each role (e.g. role 160 in FIG. 7) with the content of a third data structure.

[0075] The third data structure is a rule data base 118 (cf. FIG. 3) that needs not to be part of system 500. The rule data base is loaded into memory 502 through, for example, a bus or another network connection and is stored in table 3. The rule data base in table 3 comprises a first column with a first application service representation (ASR 1), such as 103′, and a second column with a second application service representation (ASR 2), such as 106′, wherein the two service representations are conflicting when accessible through the same role (e.g. role 160). Means 540 first identifies all combinations of application service representations that are assigned to a parent role either directly or indirectly through referenced roles (cf. table 2) and that are in conflict according to the content of table 3.

TABLE 3 Rule Data Base

ASR 1    ASR 2
103′     106′
. . .    . . .

[0076] Means 540 then creates a delta list (e.g. delta list 113 in FIG. 7) in case a conflict is identified as described in the previous paragraph. The delta list is a fourth data structure that is stored in table 4 and resides in memory 502. Using processor 501 means 540 writes the corresponding delta entries (e.g. delta entry 114′ (−106′)) into table 4. Each entry in table 4 comprises

[0077] a) the parent role, where the conflict was identified (e.g. role 160),

[0078] b) the reference (e.g. 111-3) to a child role that caused the conflict by being modified and

[0079] c) the delta entry (e.g. delta entry 114′; cf. FIG. 7) that describes, which application service representation of the child role (e.g. 106′) has to be excluded or included for the parent role.

TABLE 4 Delta list

Role     Reference   Delta entry
160      111-3       −106′
. . .    . . .       . . .
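
The conflict check of paragraphs [0063] and [0075]-[0079] can be exercised on the FIG. 7 data. The following is an added example, not code from the patent: it loads tables 2 and 3, computes what each role can reach through its references, and writes the table 4 rows. The function names `effective` and `generate_deltas`, the ASCII "-"/"+" encoding of delta entries, and the tie-break used when both conflicting representations are inherited are assumptions.

```python
# Added example. Tables 2 and 3 are copied from the page's FIG. 7 example;
# ASCII "-" and "'" stand in for the page's minus and prime marks.

REFERENCES = [  # Table 2 rows carrying a reference: (parent, child, reference)
    ("160", "180", "111-1"), ("160", "140", "111-3"), ("160", "190", "111-4"),
    ("170", "180", "111-2"), ("170", "140", "111-5"), ("170", "190", "111-6"),
]
ASSIGNMENTS = {  # Table 2 rows carrying an ASR: role -> directly assigned ASRs
    "160": {"103'"},
    "180": {"101'", "102'"},
    "140": {"104'", "105'", "106'"},
    "190": {"107'", "108'"},
}
RULES = [("103'", "106'")]  # Table 3: pairs that conflict within one role


def effective(role, assignments, references, deltas, seen=frozenset()):
    """Map each ASR reachable from `role` to the reference it arrives through
    (None = assigned directly), after applying the delta list (Table 4 rows)."""
    if role in seen:  # assumption: a cyclic reference contributes nothing
        return {}
    reach = {asr: None for asr in assignments.get(role, ())}
    for parent, child, ref in references:
        if parent != role:
            continue
        inherited = set(
            effective(child, assignments, references, deltas, seen | {role}))
        for d_role, d_ref, entry in deltas:  # later rows override earlier ones
            if (d_role, d_ref) == (role, ref):
                if entry.startswith("-"):
                    inherited.discard(entry[1:])  # exclusion entry
                else:
                    inherited.add(entry[1:])      # inclusion entry ("+ASR")
        for asr in sorted(inherited):
            reach.setdefault(asr, ref)
    return reach


def generate_deltas(assignments, references, rules, deltas=()):
    """Return (delta_list, unresolved). Exclusion entries are added until no
    rule pair is reachable through one role. A pair whose members are both
    assigned directly cannot be fixed on a reference and is reported instead."""
    deltas, unresolved = list(deltas), []
    roles = sorted(set(assignments) | {parent for parent, _, _ in references})
    for role in roles:
        for asr1, asr2 in rules:
            while True:
                reach = effective(role, assignments, references, deltas)
                if asr1 not in reach or asr2 not in reach:
                    break
                # Assumption: drop the inherited ASR; ASR 2 first if both are.
                victim = asr2 if reach[asr2] is not None else asr1
                if reach[victim] is None:
                    unresolved.append((role, asr1, asr2))
                    break
                deltas.append((role, reach[victim], "-" + victim))
    return deltas, unresolved


if __name__ == "__main__":
    table4, open_conflicts = generate_deltas(ASSIGNMENTS, REFERENCES, RULES)
    for row in table4:
        print("Role %s  Reference %s  Delta entry %s" % row)
    print("role 160 launches:",
          sorted(effective("160", ASSIGNMENTS, REFERENCES, table4)))
    print("unresolved:", open_conflicts)
```

A non-empty `unresolved` list marks roles whose conflict sits in their own direct assignments, which a delta list on a reference cannot remove and which therefore need a change to the role itself.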

[0080] Having described details of the invention by method and system is convenient for explanation. To summarize the present invention, it is now described as a computer program product. Computer program product comprises a sequence of instructions for a general purpose processor (e.g. the processor 501 of system 500) that, when executed, causes the following:

[0081] (a) a plurality of roles (110, 150) is hierarchically related to each other with parent roles (110) and child roles (150), wherein parent roles (110) call by reference to child roles (150) and child roles can have multiple parents; and

[0082] (b) modifications to child roles (150) are evaluated for the related parent role (110) such that the reference (111) from the parent role (110) to the child role (150) receives a delta list (112) for some of the application services represented by the related child role (150).

[0083] The computer program product presents all services that result from the particular parent role (110), the referenced child role (150) and the delta list (112) on a display to the user who is assigned to a particular parent role (110).

[0084] The present invention can also be defined as computer-readable medium 505 (“article of manufacture”) having a plurality of sequences of instructions stored thereon which, when executed by a processor (e.g. processor 501 of system 500, or more processors), cause it to perform the steps of method 400. In the example of FIG. 8, medium 505 is illustrated as a CD-ROM that is inserted into and readable by an input device (not shown) of system 500.

[0085] FIG. 9 illustrates preferred method step 450 of presenting on display 501 to the first user the first set 101-103 and second set 104-10) of representations of application services under consideration of the delta list “−106”. Different graphical representations of representations 101-105 and 107 indicate different types of the corresponding application services 301-305 and 307. Different types of an application service can be, for example, a business transaction service, a web service, a document service or any other service type that can be accessed through a role. For example,

[0086] 101 is displayed as a data entry mask being always ready for data entry through the first user;

[0087] 102 is displayed as a graphical report showing the current development of a KPI (Key Performance Indicator) of the first user;

[0088] 103 is displayed as a triangle icon, which stands for an information service, such as company news;

[0089] 104 is displayed as a circle icon, which stands for a business transaction, such as ‘create vendor invoice’;

[0090] 105 is displayed as a square icon, which stands for a web service, such as an internet search engine;

[0091] 107 is displayed as a rhombus icon, which stands for a document service, such as a document describing a specific business process.

[0092] Graphical representation of service representations can be performed otherwise, for example, by one or more selected from the following:

[0093] showing a text on a computer display;

[0094] showing an icon on a computer display;

[0095] showing a video sequence on a computer display, wherein the sequence symbolizes the action expected by the application service;

[0096] showing a table;

[0097] showing a hyperlink;

[0098] presenting prerecorded audio data via a speaker;

[0099] presenting a voice message via a speaker, wherein the message is generated from a voice generator;

[0100] dialing phone connection;

[0101] checking a user authentication with password and issuing an alarm message.

1. Method (400) for modifying roles that launch application services (301-307) for a first user who is assigned to at least one role, the method (400) comprising the following steps: representing (410) the application services (301, 302, 303) that are assigned to a first role (110) with a first set of representations (101, 102, 103) and the application services (304, 305) that are assigned to a second role (150) with a second set of representations (104, 105); referencing (420) from the first role (110) to the second role (150) by a first reference (111); modifying (430) the second set of representations (104, 105) in the second role (150); and creating (440) a delta list (112) for the first reference (111).
2. The method of claim 1, wherein the creating step (440) the delta list (112) prevents the first role (110) from referencing to at least one modification in the modified second set (104, 105, 106, 107) of representations of the second role (150).
3. The method of claim 2, wherein the modifying step (430) the second set of representations (104, 105) in the second role (150) is modified by adding at least one representation (106, 107) to the second set of representations (104, 105).
4. The method of claim 3, wherein the creating delta list step (440) the delta list (112) indicates representations in the modified second role (150) that are excluded from being launched by the first role (110).
5. The method of claim 2, wherein the modifying step (430) the second set of representations (104, 105) in the second role (150) is modified by removing at least one representation from the second set of representations.
6. The method of claim 5, wherein the creating delta list step (440) the delta list (112) indicates representations that have been removed from the second set in the modified second role (150) but that are still to be launched by the first role (110).
7. The method of claim 1, wherein the step (440) of creating the delta list (112) is performed as follows: informing (442) a second user about the modification to the second role (150); and receiving (444) from the second user the instruction to accept or to reject some or all of the modifications.
8. The method of claim 7 with the further step of updating (446) the delta list (112).
9. The method of claim 1, wherein said creating delta list step (440) comprises looking up in a rule database (118), the rule database with representations of application services that are mutually exclusive when used by a single user.
10. The method of claim 1, wherein said creating delta list step (440) comprises checking for conflicts between the subset of the first role (110) and the modified subset of the second role (150).
11. The method of claim 1, wherein the providing step (410) provides the first set (101,102,103) and the second, different set (104, 105) of representations.
12. The method of claim 2, comprising the further step of presenting (450) to the first user the first set (101,102,103) and second set (104,105,106,107) of representations of application services (301-307), depending on delta entries (114) in the delta list (112).
13. The method of claim 12, wherein the step presenting (450) includes at least one selected from the group consisting of: showing a text on a computer display; showing an icon on a computer display; showing a video sequence on a computer display, wherein the sequence symbolizes the action expected by the application service; showing a table; showing a hyperlink; presenting prerecorded audio data via a speaker; presenting a voice message via a speaker, wherein the message is generated from a voice generator; dialing phone connection; checking a user authentication with password; issuing an alarm message.
14. A computer program product that provides representations of application services (101,102, . . . ) to a user depending on the role that is assigned to the user, wherein said computer program product launches corresponding application services (301-307) through said representations characterized in that: (a) a plurality of roles (110, 150) is hierarchically related to each other with parent roles (110) and child roles (150), wherein parent roles (110) call by reference to child roles (150); and (b) modifications to child roles (150) are evaluated for the related parent role (110) such that the reference (111) from the parent role (110) to the child role (150) receives a delta list (112) for some of the application services (301, 302, . . . ) represented by the related child role (150).
15. The computer program product of claim 14, wherein for a user who is assigned to a particular parent role (110), the computer program product presents all services that result from the particular parent role (110), the referenced child role (150) and the delta list (112).
16. The computer program product of claim 14, wherein child roles (150) can have multiple parents.
17. Computer system (500) for launching application services (301, 302, . . . ) by a user who is assigned to at least one role, comprising: a first means (510) for representing the application services (301, 302, . . . ) in a first role (110) with a first set of representations (101,102,103) and in a second role (150) with a second set of representations (104,105); a second means (520) for referencing from the first role (110) to the second role (150) by a reference (111); a third means (530) for modifying the second set of representation (104,105) in the second role (150); and a fourth means (540) for creating a delta list (112) for the reference (111).
18. The computer system of claim 17 wherein the delta list (112) prevents the first role (110) from referencing to at least one modification in the second set of representations of the second role (150).
19. A computer-readable medium (505) having a plurality of sequences of instructions stored thereon which, when executed by one or more processors, cause said one or more processors to perform the steps of: representing (410) application services (301, 302, . . . ) in a first role (110) with a first set (101,102,103) of representations and in a second role (150) with a second set (104,105) of representations; referencing (420) from the first role (110) to the second role (150) by a first reference (111); modifying (430) the second set of representation in the second role; and creating (440) a delta list (112) for the first reference (111).
20. The computer-readable medium of claim 19, wherein during execution, in the creating step (440), the delta list prevents the first role (110) from referencing to at least one modification in the second set of representations of the second role (150).
21. The computer-readable medium of claim 19, wherein during execution, in the modifying step (430), the second set of representations in the second role is modified by adding at least one representation (106,107).
22. The computer-readable medium of claim 21, wherein during execution, wherein the creating delta list step (440) the delta list (112) indicates representations in the modified second role (150) that are excluded from being launched by the first role (110).